
Enhancing Cyber Posture: Leadership, Zero Trust, and AI Adoption in Government with Jennifer Franks


About This Episode

In this episode, our hosts are joined by Jennifer Franks, Director of the Center for Enhanced Cybersecurity at the Government Accountability Office (GAO), who brings nearly 20 years of experience auditing federal agencies to this conversation. She breaks down why the challenge facing most agencies today isn't awareness, it's execution: implementing cybersecurity requirements consistently across decentralized, fragmented environments where systems sprawl, data moves fast, and leadership revolves. From Zero Trust as an architectural shift (not a product checklist) to the critical role of visibility and inventory management, Jennifer offers a clear-eyed view of where federal cyber defense stands and where it must go.

 

The conversation goes beyond compliance to address the cultural and workforce dimensions of lasting security improvement. Jennifer shares how agencies build genuine cyber hygiene by embedding security into daily operations, why the GAO's oversight role must evolve alongside AI and automation, and what actionable first steps every agency and industry leader should take right now.


      [00:00] Welcome, Jennifer Franks

      Rachael Lyon:
      Hello everyone. Welcome to this week's episode of the To the Point podcast. Hi, I'm Rachael Lyon, here with my co-host, Jon Knepher. Jon, hello.

      Jonathan Knepher:
      Hi Rachael, how are you doing today?

      Rachael Lyon:
      I'm well, I'm well, I'm just loving these news cycles we're having about AI and other things, and I just read something before we got on this recording, and I want to get your opinion as a parent of children. Well, actually, they're adults now. I guess so. So, France apparently is looking at banning social media for anyone under the age of 15, and apparently Australia's already enacted this. Spain, Netherlands, UK are advancing similar approaches. And as a parent, what are your thoughts? Cause I watched that social media documentary. Well, all of the kind of founders of social media don't actually let their kids on social media, which I thought was really interesting. But as a parent, kind of, how do you see that actually playing out in reality?

      Jonathan Knepher:
      Yeah, I mean, so as a parent, I think you have to prepare your kids for the world, and you have to be interactive with them. And I think outright banning it is not the right thing because then, when suddenly they're thrown into it, they're not going to be prepared. So I think you have to find a way to do a soft start and parent engagement, and a controlled kind of get into it and teach them how to cope with it. And that's what we did with our kids, and I think it worked pretty well.

      Rachael Lyon:
      That's great. And. Or they will find a way to get on it anyway.

      Jonathan Knepher:
      Well, that is true because we had teenagers crafty.

      Rachael Lyon:
      Exactly.

      Jonathan Knepher:
      We had a rule like no TikTok, but guess what? They figured out how to like get a VPN and get on TikTok.

      Rachael Lyon:
      Wow.

      Rachael Lyon:
      Of course, your kids did. Absolutely. You know me, I love the talk. I'm not going to lie, I'm here for it. Well, without further ado, let's get into this week's guest. I am so excited to welcome to the podcast Jennifer Franks. She is a director in the Government Accountability Office's Information Technology and Cybersecurity team. She oversees engagements that primarily focus on emerging cybersecurity issues and assessing an agency's ability to protect the confidentiality, integrity, and availability of its sensitive data and computing infrastructure.

      Rachael Lyon:
      She also leads the Center for Enhanced Cybersecurity, which provides technical support to GAO's cybersecurity engagements. And additionally, she leads government-wide and agency-specific reviews in the areas of IT management and operations, data protection, privacy, and cybersecurity issues related to the COVID-19 pandemic. Wow, you're busy. Welcome to the podcast, Jennifer.

      Jennifer Franks:
      Thank you so much for having me. And yes, you sometimes don't remember how much you have going on until it's read out loud, so thank you for that introduction.

      Rachael Lyon:
      Absolutely.

       

      [03:26] Inside GAO: The Execution Gap in Federal Cybersecurity

      Jonathan Knepher:
      Yeah. Jennifer, lots going on there. So thank you for all of the work you've been doing. Dig right in here. As your perspective as director of the Center for Enhanced Cybersecurity at GAO, what are you seeing most commonly as challenges or difficulties on all the various agencies meeting the cybersecurity requirements that are needed?

      Jennifer Franks:
      So that's a good question to start with. For me, in the work that I'm doing, what stands out most across the agencies is that the gap isn't awareness like it used to be; it's in the execution in agencies. All of us really understand the requirements, we understand the frameworks, and we understand the risk. But where things are really starting to break down for all of us is implementing our requirements consistently across very decentralized and fragmented environments. Some of us are very large agencies, some of us are very small. We have the mid-size and the environments are just so complex, and the requirements and the criteria continue to change, and it just makes that impact implementation a little bit more difficult. And with the work that we do, when you look across the agencies, we're just continuing to see challenges with visibility and just knowing what the systems are and where they exist, who has access to them, do they actually need that access? And then how that data is flowing through the systems, and even looking at the data at rest, and that's honestly becoming just more difficult for us across the government because of how we're managing our data, how we're managing our systems in the hybrid and cloud environments, where data is just no longer centralized.

      Rachael Lyon:
      Yeah, it's a big challenge, particularly when we're looking at AI as well. Right. And the proliferation of data. I'd be curious in kind of what you're seeing in terms of as we evolve and adapt, there's the structural elements of change, and then there's the cultural shifts in change. I'd be interested in the perspective you have in helping agencies strengthen their cyber hygiene in lasting ways.

      Jennifer Franks:
      That's a good question as well. And to be honest, what actually drives sustained improvement is when we are incorporating cybersecurity and, you know, a part of our organizational practices every single day. It's not just an annual security refresher training. It's not something separate that you're doing. It's not even compliance-driven. It's where we, as the agencies, are making the most progress, where we have a strong leadership that are, you know, helping us and encouraging us to understand our posture, understand the mission risk. Because it's not just technical, it's. You have to start with how decisions are made and then how that information is passed down to all of the elements across your organization.

      Jennifer Franks:
      We also see success in accountability when you're not just meeting with the CIOs and the CISOs, and that includes a lot of our agencies. There's a revolving door of leadership. So you have to really work and have some dialogue and accountability measures across all of your mission and operation teams at all levels. Because this is where the cyber hygiene becomes a shared responsibility with all of us.

      Jonathan Knepher:
      A couple of years ago, you had highlighted some challenges around implementation of Zero Trust and trying to move forward on those objectives. Can you talk about some of the things that might still be persistent obstacles on that type of security model, and are those still the obstacles today, or have things changed?

      Jennifer Franks:
      Good question. I love Zero Trust, and I do, I do, I do a lot of speaking and education around the what is and how we're doing it. And you know, looking at the marathon, not a sprint, because it's a continually evolving security measure and, and what it is we saw for years, it became a buzzword, and the challenge was for folks to understand what it simply meant. And initially, agencies, we were not approaching it just correctly. We were approaching it as a set of tools and technologies we needed to have to enhance our security protections. But we really need to be focusing on Zero Trust as an architectural shift. So what we're seeing today, cause this evolved, I mean, there's been some years we've been talking about this thing for a lot more clarity around the Zero Trust models and its pillars and some of the guidance and criteria that has been institutionalized for us to follow. We've seen progress, especially in the identity area.

      Jennifer Franks:
      Identity is you authenticating into your environment and using stronger controls to do so. But the challenge, even with Identity, is not that, okay, we're progressing here, but how do we operationalize it to continue evolving with the evolution of your technology? You mentioned AI. How are we evolving those additional protections? We're also seeing that the integration of signals in systems, how identity, how the devices, and even behaviors are coming together to really help us to inform better decision making. To be honest, a lot of these elements are also helpful for those of us that are building AI use cases, because even with your AI tool, it's a new technology, you still have to have adequate security protections to, you know, make sure that that data, that system is adequately protected.

      Rachael Lyon:
      Yeah, yeah, I mean, it's definitely the mind shift change that is quite significant when you start looking at it from that perspective.

      Jennifer Franks:
      Absolutely.

       

      [09:39] Assessing Vulnerabilities and Driving Accountability 

      Rachael Lyon:
      I'd be interested too. So you mentioned a little bit about accountability, but how does the GAO determine severity of cybersecurity vulnerabilities and then prioritize recommendations to agencies? That seems like it would be a lot.

      Jennifer Franks:
      It's a lot. But let me tell you, we like to make it fun. Now I will tell you, agencies don't always love to see us coming. They feel like, oh, here we go again, GAO's back. But to be honest, we're there to help, you know, and for the teams that are doing the work, I know it's inundated for the agencies, but we try to make it engaging and fun. And we're just trying to help you to improve your security environment, your posture. So when we're looking at the vulnerabilities, we're not just assessing their technical severity; we're assessing the risk in the full context of your agency's computing infrastructure. And that sensitivity really does start with the data management elements.

      Jennifer Franks:
      So the criticality of your systems, the high-value assets, and the potential for a service disruption on your mission operations should an event occur. And you know, for a long time, it's not when or it's not if, it's when type of thing. Right. So we have to just stay abreast of all of the events that are likely to impact us. Like looking at the vulnerabilities, what would this look like if this particular vulnerability was exploited in my environment? How do we consider whether it represents a broader pattern across the agency, or even how it could contribute to vulnerabilities in other agencies? Because all of us collaborate and we're working together, we do information sharing. So just because one agency is hit by a vulnerability does not mean the other one escapes it. So our goal in the newer timeframe is really to focus on the issues that are really creating the greatest risk to that environment, to the mission, to the operations, and really looking at that forward projection for carrying the foundation of where you need to go as you really mitigate those vulnerabilities in your environment.

      Jonathan Knepher:
      So you talk about helping the other agencies here, and they, and you know, not, not being the bad guy, I guess. Right. But how, how do you help, how do you help them when there's basically a continuous onslaught of, of new vulnerabilities and new things? And I'm sure that there is a long tail of things that are remaining outstanding. Like how, how do you help them achieve progress?

      Jennifer Franks:
      That's a good question. I'm actually known across the agency as the director that issues the most recommendations. You know, but when you're thinking about cyber, it's hard to go into the agencies, especially the larger ones, and not find anything. I'm going to find something. And it's really about helping you to improve your security postures in various capacities where you perhaps have some limited visibility, limited awareness. And what we've seen in the recommendations follow-up process is that agencies do want to improve. We want to show that we're improving for the customers we serve, and the operational capacity of your organization. And even when we're facing and discussing with Congress, we want them to know that we are improving.

      Jennifer Franks:
      So when recommendations are viewed by the agencies as a compliance requirement, they tend to stall them and likely create a new program or migrate to something else, where that particular recommendation may not be implemented. But when we really drive the recommendation to focus on operational and technical risk, the areas are more focused, they gain more attention, and more traction to be mitigated faster. And also, where we see progress, to be honest, is you can't just issue a report and just stop dialogue. We have to have that continual dialogue and follow-up. And for me, I found it useful to develop solid relationships with the CIOs and CISOs and other technical specialists that are key to that vulnerability being mitigated in your environment, so that we can collaborate as you're moving forward to closing the recommendations. We work to understand where your environment is, what it is you need to do to mitigate this weakness, and how we can then close this recommendation so it's no longer a threat to your environment.

      Rachael Lyon:
      With things changing and evolving, I mean, seemingly it feels more like faster in a lot of ways. And I'm just kind of curious from an agency perspective, how can these leaders better connect workforce priorities, requirements, but also culture, which is critical in accelerating modernization efforts? I mean, it's sometimes like, is it like turning the Titanic or? You know what I mean. But it is a mind shift change a little bit. And I'd be interested in your perspective.

      Jennifer Franks:
      There it is. You use the Titanic as your example. So the biggest thing with that is the goal for this modernization effort and the culture shift is for us not to sink, right? So we got to work together and what it is. We found that one of the biggest disconnects is technology adoption and then workforce readiness. A lot of folks do not have workforce planning efforts underway. And with the evolution of cybersecurity and the need to upskill your talent for the evolution of the threats and the technologies that are going to be in your environment, agencies have to consider how we're implementing new tools and frameworks, but keeping our workforce actively involved and prepared to, to then use those tools and frameworks effectively. And you spoke about the cultural component.

      Jennifer Franks:
      So very important because what I've seen and even experienced for myself, teams are really used to working in silos, especially cybersecurity. A lot of us, I don't appear to be an introvert, but a lot of us are right, and we have those ambivert features where we come out when needed. But we, we like working by ourselves to get it done. It's a quiet environment. I know what I need to do, and I can kill the noise. And when you're doing things in silos and organizationally for such a major evolution for your organization, it becomes difficult to then implement cross-cutting initiatives because you're not talking, you're not collaborating. And this starts with the leadership. You have to bridge the gap and align the workforce development needs with your mission and your technology.

      Jennifer Franks:
      Because mission drives the technology with what it is you need to do critically for your agency. Then we can align the best technology for you to provide those quality deliverables, so it becomes a priority for you. And then you're tying that training and those education and that knowledge to your real work. And it's not just theoretical or happenstance. These are real-life issues that you take advantage of learning about.

       

      [17:09] Emerging Threats: AI, Quantum, and Supply Chain Risks

      Jonathan Knepher:
      Can we talk some about what you're seeing as emerging threats and trends? There's a lot going on in the AI space. We're coming up upon the quantum security becoming an issue. And even in the last couple of weeks here, we've seen so many supply chain attacks, and compromises of Node Package Manager and so on. What needs to be focused on and prioritized and how do we stay ahead of all of those threats?

      Jennifer Franks:
      So very important, everything that you just said, they evolve daily. And the biggest priority right now is focusing on strengthening your baseline. If you stick to the fundamentals, identity management, data protection, and having that core visibility across your systems, you will be able to thwart those supply chain attacks and the phishing attempts, and the AI vulnerabilities that are going to be soon impacting us in a little bit more of a granular scale. You're thinking about AI and the technologies that even come with AI. You still have to think about the cybersecurity fundamentals. I mentioned that earlier. What we're seeing is AI can accelerate both defenses and even attack vectors. So if you have weakness in your baseline controls, you become weak, and the vulnerability becomes even more significant to your environment.

      Jennifer Franks:
      And it honestly again goes back to your leadership, focusing on that collaborative environment, understanding how to get that clear visibility, reducing those blind spots into what's happening at all levels, and really having, and showing that awareness of how we can respond quickly and pivot when needed. A lot of the work I do, government-wide, you see with the statistics of such in the last few years, we have a great path to responding to events that occur. But some of us do still struggle in the recovery efforts. And that's critical when we have such finite missions that support the American people.

      Rachael Lyon:
      With things like AI moving so quickly. Jennifer, I mean, I know in business, in general, there's a lot of pressure to start adopting AI and find the efficiencies and all of these other things. Naturally, the role of GAO is going to have to also evolve, probably as quickly as these things are developing. And so how do you see the GAO role evolving as you see more and more agencies kind of accelerating to try to rely on automation and AI as part of their cybersecurity strategies?

      Jennifer Franks:
      That's a good question. And we have definitely done quite a bit of work in this area to think about that evolution. And you're right, agencies are adopting more automation and AI. They're developing and implementing use cases in their environment. So what is going to be key is oversight of the evolution of this technology. And you know, that's where we come in from that accountability and evaluative, and assessment phase. It's no longer going to just be about evaluating from the cybersecurity efforts if your controls exist, if they're in place, if they're secure to the baseline controls that the guidance says we're going to have to evaluate, starting at the decisions of how they're made and how ethical implications were considered and biases as well. So we're going to be looking more closely again at that data quality.

      Jennifer Franks:
      How are you managing the data, your governance structures, and even the transparency of your automated systems? We want agencies to move towards faster automation technology and services. But at the same time, there's a consideration that collectively, agencies just may not be able to explain how their decisions are made. They just know they were made. And you have to be able to explain the what, the when, the how to really ensure, you know, this system can be accountable, and then ethically, you know, representing what it is we need them to represent at that time. So it'll be a, it's going to be a journey, a long journey. I feel.

       

      [21:34] Start with Visibility: Actionable Advice for Leaders

      Jonathan Knepher:
      Okay, so it's... So it is a long journey. I think we all agree. So where do people start? Like, what's the actionable advice for both agency leaders and industry leaders? What do they need to do right now and make sure they're doing right now?

      Jennifer Franks:
      Visibility. Start with visibility. Reducing the blind spots. I really cannot stress that enough. And I say that because again we talked about zero trust. You can't protect what you don't know you have, and who needs access to it. When we go into federal agencies, a large part of the start of my findings and recommendations start with inventory management. If you reduce those blind spots and have that awareness of your hardware and your software data assets, and then you can strengthen your identity and data management processes, that's going to be clutch to enhancing your visibility across your enterprises. Agencies are going to have to understand who has this access.

      Jennifer Franks:
      You may have the access today, and you don't need it tomorrow. Then, when you do have this access, what are you using it for? Are you using it for the sole reasons of your engagement? And then we can identify some of the anomalies that perhaps exist in this environment to detect what shouldn't be happening. Many of the agencies already have tools that really can support these processes. We just need to all integrate them and use them a little bit more effectively, and further integrate them. And what's helpful is starting with one system, starting with one project or data set that really can provide us some high value return on our investments across our agencies. If you try to jump into the deep end of the ocean and you're trying to automate everything and put everything in AI at one time, you're likely not going to have a lot of success and you're not going to continue to build that momentum because you're going to continually have to review and redo and reevaluate what it is you're doing because you've done too much at once.

      Rachael Lyon:
      But it's so tempting to do that. Yeah, you just throw it all in there and see what happens.

      Jennifer Franks:
      You know, I wasn't always an AI enthusiast, but you know it's here to stay, right? So you have to adapt, and you have to understand what is and how it's going to shape the future. It's, it's here. But what does that mean for you individually, as a person? What does it mean for your professional environment? So really, you know, taking that advantage to understand and giving that advice to help us to just move forward with that visibility again in your enterprise, so that you can understand where the AI tools could best be utilized.

      Rachael Lyon:
      Exactly.

      Jonathan Knepher:
      What's your advice on the AI tools and AI use for young people? Like those folks in college, they're just starting their career or they're still studying. Like, what's the right mix of AI and conventional things?

      Jennifer Franks:
      That's a good question. You know, I been in school in quite a long time, but, like, what

      Jonathan Knepher:
      are you expecting new folks out of school? Yeah,

      Jennifer Franks:
      a wealth of knowledge, like, not that, you know, and these younger folks probably don't even know what an encyclopedia is, but, you know, being that encyclopedia in a way that you can help us to advance our mission. So all of us are doing the work, and we've been doing it this way for however many years, but coming out of school and really having some depth and breadth into various technologies can really help us to accelerate in many different capacities because they're thinking about it and diving into it in ways that we just have not. Even for those of us that start to upskill and train, unless you're locking in and going to a full program and focusing, you're learning to apply it very differently than somebody who was ingrained in learning and doing and developing and building and testing to complete a program at that undergraduate or graduate level. I also came into the government straight from graduate school, and I was focused on information assurance and cybersecurity, and privacy. And, you know, a lot of that was early 2000s. It was new for us, you know, shopping online and the digital currencies, and where's our information being stored? And, you know, no one was reading privacy policies of the little fine print at the bottom of the page, but we were just buying stuff online and using our information. But what does that mean? So I was able to help, you know, educate and take folks who didn't understand and didn't have that foundational knowledge at such a deep level to help us to kind of just enhance the quality of our work. So these younger folks, yeah, AI is here.

      Jennifer Franks:
      Show us what you can do. Come in and help us to do. You know, it's government. We like. I don't know why, we like to take the long way out in everything we do. So, yes, I'm hopeful for the young folks who are excited about it to come in and show us. No, I can do this in a day. Oh, thank you.

      Jennifer Franks:
      And let's move forward.

      Rachael Lyon:
      Thank you.

      Jennifer Franks:
      You know, exactly. We need you. Where have you been all my life?

      Rachael Lyon:
      It's exciting to kind of think of where, because generationally, and you know, like my generation, I'm Gen X, I'll just say it. You know, we didn't have call waiting. We had VCRs. And you know, and I imagine growing up with all this at your fingertips at. At such a formative age, when you're just like this sponge, learning and navigating through the world, what that means kind of for what's next in the next five, 10 years? I think it's going to be very exciting.

      Jennifer Franks:
      I think it's going to be very exciting too. But you touch on something very important. I'm a millennial, and we also grew up without all the technology. I did have call waiting, though, so I'm very sorry I didn't have call waiting, but I can't imagine not having it. But, you know, we're going to have to focus on getting the workforce ready when the technology doesn't deliver. Our younger generation, so ingrained, so experienced, so knowledgeable of the tech, some of them are going to struggle with these soft skills that are going to be needed to really help us to move the technologies forward. So as leaders, I'm big on investing in my people. Everyone that knows Team Jennifer knows I'm a people-first leader.

      Jennifer Franks:
      And as technology is moving fast, cyber is moving, AI, you mentioned quantum. We are going to have to focus on the workforce so that they understand, they trust us, they understand the what, the when, the why, and. And they can effectively then help us to introduce these tools in our environment. And that's gonna be so important. Cause the generations, they have the questions they wanna know. And some of us are used to saying, just do it this way. Cause I said do it this way, and that's not gonna be how they communicate.

       

      [29:10] Cybersecurity Culture, Career Paths, and People-First Leadership

      Rachael Lyon:
      No, very true. Very different. Coming back to culture a little bit, I think this kind of opens the door on the AI front as well. When it comes to security and other things. You can look at it as kind of bolted on after the fact, or you could bake it in as part of the beginning of a process. And that extends to cultural environments as well. In terms of are we empowering our people to have visibility? Oops, you clicked on something you shouldn't. Maybe there's a proactive pop-up that comes up and says, hey, you probably didn't mean to do this, but here's a coaching moment.

      Rachael Lyon:
      But. But I'd be interested in what you've seen in any of the agencies on how they're fostering a strong cybersecurity culture and or AI adoption culture that we could learn from.

      Jennifer Franks:
      I've seen a lot. In my bio, you mentioned the COVID-19 work, so let me give you an example. One, I cannot believe it was six years ago, and when I started with the portfolio, I was doing healthcare cyber prior to the virus came out. But the enhancement of being on panels, in presentations across the government with those in the healthcare industry, the nonprofit industry, the academia, local, state, and federal governments, it was clear to us earlier on they understood they needed a system, the system needed to put out this data, and they wanted their data when they needed it. But no one ever considered how am I going to protect this system? What happens if the system goes down? What happens if it's overload with capacity and there's a bandwidth issue, and all the interconnectedness that needs to happen? They didn't understand any of that. Oftentimes, I was in a room with healthcare professionals, MDs, and nurses who are like, I just want my data. But they never put the cyber person. I would be the only IT and cyber person having a conversation, trying to help you to understand how your data is even transmitted across the systems and what that meant for your environment. So, with using that example, we've seen an enhancement of the culture, you know, cybersecurity controls.

      Jennifer Franks:
      The fundamentals again have to be embedded in your daily operations, and it's not something that you just leave to the cybersecurity analysts and specialists. It has to be a part of your full life cycle of your program for every employee to understand they have a role in this. So it's a leadership priority. It's team collaboration across your functions, but it's clear accountability across the agency at all levels, so that we're creating an environment where people understand this is my role. So like you said, when I click on this link, because I thought I had a package, and the package was not really from a human or someone that I identify and now they're trying to get my information. Do I continue clicking? I do not. I do not. So we.

      Jennifer Franks:
      I have seen a lot of coaching like you said, the pop-ups will come and say, oh, that was a phishing exercise. And they will send staff to like a little refresher training, look, 5, 10 minute, 15 minute. So that you can be reminded, because sometimes you forget, we move fast.

      Rachael Lyon:
      So fast, think so fast.

      Jennifer Franks:
      You don't concentrate. You're like, I get a package every day. You know, I shop. But did it really come to your work email? It probably didn't. You know, so as you're moving and thinking about it, it's just so ingrained in you and your daily culture. And to be honest, if y'all think about it as well, with our smart devices at home, you got your computers. I have three, four computers in this house, three phones, all the things. You gotta protect your digital footprint, you know, so this starts even in your personal life and carries to your professional.

      Rachael Lyon:
      That's a great reminder, I think, 100%, because we. It's. I've been reading a lot about neuroscience and things, and how our brains, they just love a shortcut. They just love the easiest path forward. And sometimes you got to take a step back and be. Hold on, hold on. Yeah, I need to think about this a little bit differently.

      Jennifer Franks:
      Absolutely. We're working on something internal for GAO, and we were reviewing earlier this week, and the steps to implement a process. It was like nine pages of instructions. And I said, no, you've lost me after page one. What is this? Why is this? We had questions. So you have to figure out a way to show the impact, show the emphasis on the why you need to do this, but condense it so that people get it and they understand.

      Rachael Lyon:
      That's right. TL;DR. That's right. Did you. You know, I'm always ready to segue into personal stuff. John. He knows me.

      Jonathan Knepher:
      Yeah.

      Rachael Lyon:
      So jumping forward, because I'm always cognizant of time, I want to be respectful of your time. So looking back on your career, because you've had kind of, I mean, let's be honest, a pretty amazing career and all the things that you've been through, are there kind of pivotal moments or decisions that you made that kind of shaped your career trajectory when it comes to working in different administrations and changing cybersecurity policies and environments? I'm just kind of curious because usually there's a couple things that might stand out as pivotal that kind of put you on a path.

      Jennifer Franks:
      I would agree. One of my biggest lessons has been the importance of adaptability. And I'm a certified Gallup strengths coach, and adaptability is actually in one of my top fives. And because of that, the flexibility and just the openness of understanding and being willing to change, I am okay with my no dull days. Priorities evolve. Technologies change, policies shift, people leave, people come, people go. But the principles of what we're doing, why we're doing it, how we're doing it, the accountability of it all, really has remained constant for me. And another thing that really, to be honest, shaped my personal career, it just goes back to how I personally entered federal service.

      Jennifer Franks:
      I actually started my career as part of the National Science Foundation CyberCorps program. And at the time when I was in graduate school, that's two years. I only had to serve the federal government for that same two years. But almost 20 years later, I'm still here, and I love it. And I'm honestly proud of all that I personally have been able to accomplish with the assistance of some amazing, amazing people on my teams. And along the way, I've had mentors, I've had coaches who poured into me in ways that, you know, I personally didn't recognize at the time. You know, sometimes you don't recognize your own strength, but they really shaped how I show up, how I lead. And when I interned, my early goal was to become an assistant director, a GS-15 equivalent.

      Jennifer Franks:
      And once I reached that, I was like, what else is next? My perspective started to shift, my desires, my wants, my goals. And I just really do feel incredibly honored to be here and just lead teams, excited to do the work in meaningful ways. Cybersecurity is really the heart of what we do, how we do, and incorporating data analytics and AI. And all the work for me is just never about, you know, just the cyber. It becomes about the excitement of serving and making that impact. And that's really what's been really most impactful for my career trajectory.

      Rachael Lyon:
      Yeah, it's. It's. Cyber is such an interesting thing, too. Just kind of coming back on that. I mean, you, you. The things that you've seen since you started to present day. I mean, I can't even. This is crazy town.

      Rachael Lyon:
      But, you know, and I guess shameless plug to maybe the younger folks listening to the podcast and kind of thinking about maybe entering cybersecurity. It changes so much so quickly. I can't think of another industry where you're so challenged all the time, and you're constantly learning, and to your point, adapting out of necessity. But it's also kind of makes it what makes it fun and kind of a fun ride to be part of.

      Jennifer Franks:
      Absolutely. I'm telling you, sometimes you're like, oh, my goodness, I want a dull day. But when you're thinking about it, the evolution of the security controls and just how we show up in the different areas of cyber. Cyber has just evolved so much. Oftentimes, younger folks come and talk to me about, oh, I want to do cyber. Well, what about cyber are you interested in? Like, what part? And they hear about working in a data center. Okay, what does that mean for you? What role would you want to serve in a data center? In a security operations center of sorts. Of course, some people do start in SOCs, but there's other areas that you can really explore.

      Jennifer Franks:
      And yes, it's a learning environment. We never stop learning, we never stop growing and enhancing the others because sometimes resources are limited. So we can send a group of people one place or another, and you come back, and you collaborate and share your learned story skills. It is so critically important. So if you don't like learning, you don't like reading, you don't like evolving almost weekly, monthly, cyber probably isn't for you. But we're always going to be involved, we're going to be needed. It's going to be something that continuously grows with the technologies and the oversight that we need to have in various areas. Whether you are private or public sector, nonprofit or academia, you have to think about all of these areas every single day.

      Jennifer Franks:
      And to be honest, technology is only just going to grow. So.

      Rachael Lyon:
      Yeah, yeah. One more observation and I'm curious what you've seen on your side. And again, trying to think of other industries that operate like this, but it's. We've had people who are CISOs at really large organizations and they have PhDs in like the violin or, you know, medieval history or things like that. But. And they're so good at their jobs because they're also coming at it from a different lens and the creative problem solving and you don't really put those two together. But when you apply it to cyber, it can be very impactful. And I'd be kind of curious if you've been noticing kind of similar trends over on the government side.

      Jennifer Franks:
      Not as much lately. I will say most of the folks that I personally, and this is just Jennifer interact with, either were educated in some type of cybersecurity area, computer science, digital forensics of sort, whatever, cyber, or they got certifications and they were able to strengthen their knowledge foundation there. I do remember earlier in my career, some of my earlier managers, yes, one of them had a geography degree and he was a PhD. He was so. But really good at understanding information management and privacy protections. You know, thinking about the geographic landscape of how the critical infrastructure sectors connect in their data is so critically important for the services that they render. So I've seen it for sure, just not recently for myself. But it happens.

      Jennifer Franks:
      I know I have people, I have friends from school or networking opportunities. People pivot all the time. They've gone to school for psychology or sociology and they're like, I want to get into something technical to do something else. But to be honest, those skill sets are also very neat. I talked about the workforce and building strong, cohesive teams and developing people. You having a foundation in sociology and psychology, you can build some amazing, confident teams because you're going to be listening and to understand and the work will come. So yes, and that's one of the reasons why I personally, yes, I do technical trainings, but I also have a full technical leadership portfolio while I focus on the people management and the soft skills and making sure that what it is we're doing connects to the full picture for the broader mission. Because yes, we have tech, but the risk of not supporting and developing the people is so much greater because those are the ones that are going to push us forward.

      Rachael Lyon:
      Exactly. And they're going to enjoy doing it too, because it's. Yeah, exactly. I love a people first approach. It's building, building really strong, high performing teams. I mean, you're unstoppable.

      Jennifer Franks:
      Yes. If the people, to be honest, it's real simple. If they know you care, like genuinely care, that work is going to be of the highest quality that you can imagine. But if you're showing up and they know that everyone's decentralized and it's just, you know, morally or emotionally draining, complex environment, that work is going to show up a little different and it's not going to be as effective that it could have been. So we have to think about those things because cyber can weigh on you because there's so much every day you think about what keeps you up at night, it's the overwhelming of the people. That person can be so overwhelmed. How can I alleviate some of those pressures from you so that I'm not burning you out? So that's also very critical.

      Rachael Lyon:
      It really is. It really is. Well, Jennifer, I know we're on time. I want to thank you for your awesome insights. These kind of conversations I know our listeners very much value. So thank you. We really appreciate your time today.

      Jennifer Franks:
      Well, I appreciate you for having me. Thank you so much.

      Rachael Lyon:
      And drumroll, please, John, to all of our listeners out there, smash that subscribe button and you get a fresh episode every single Tuesday. So until next time, everyone stay safe. Thanks for joining us on the To the Point Cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.

       

      About Our Guest

      Jennifer Franks, Director, Center for Enhanced Cybersecurity, Government Accountability Office

      Jennifer R. Franks is a Director in GAO’s Information Technology and Cybersecurity team. She oversees engagements that primarily focus on emerging cybersecurity issues and assessing an agency’s ability to protect the confidentiality, integrity, and availability of its sensitive data and computing infrastructure. She also leads the Center for Enhanced Cybersecurity, which provides technical support to GAO’s cybersecurity engagements. In addition, she leads government-wide and agency-specific reviews in the areas of IT management and operations, data protection, privacy, and cybersecurity issues related to the COVID-19 pandemic.

      Jennifer joined GAO in 2006. She has led audit teams that perform reviews at an array of federal agencies, including the Department of Health and Human Services, National Institutes of Health, Centers for Disease Control and Prevention, Internal Revenue Service, Veterans Affairs, and Office of Personnel Management.

      Jennifer earned a master’s degree from Carnegie Mellon University in information security policy and management, and a bachelor’s degree from Hampton University in computer information systems.